#32781 Had to turn Admin Tools off - It's Blocking Citrix Users

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Friday, 08 May 2020 17:17 CDT

GuiGuy
After the last Admin Tools update (5.6) a small group of our users reported that when they attempted to link to https://mbea.com.au they were greeted by a 403 error page. After considerable effort between myself, the affected users and our hosting system we have identified:

  • The five affected users were all coming from organisations running on Citrix
  • The 403 was being generated by the CMS, specifically Admin Tools


I worked my way through what I could find online, notably
* Disabled all of Admin Tools Geoblocks
* Allowed Anonymous proxies
* Replaced .htaccess with the stock standard Joomla one

None of that resolved the issue.

My knowledge is insufficient to dig further, so more out of frustration I have now totally disabled Admin Tools. Once I did that the affected users were able to access the site.

Are you able to suggest a way forward from here? For example would removing Admin Tools and then re-installing help me at all?

Thanks

nicholas
Akeeba Staff
Manager
Disabling your security as a whole is never a good idea. It's the equivalent of torching your house to make a smoke detector stop beeping because of a low battery.

I suppose that by "Citrix" you mean their desktop virtualization software which is presumably installed somewhere under your organization's control. This would mean that all of these users connecting to your site appear to be coming from the same IP address or IP address cluster (where Citrix' server software is installed). This means that one user doing something to get themselves blocked would impact all of the other users connecting through the same Citrix server since they all appear to be coming from the same IP address. That IP address was either auto-blocked or someone with Super User privileges manually blacklisted it in Admin Tools' IP Blacklist in error.

Unblocking these IPs and then adding them to "never block these IPs" would address your issue.

If unsure, you can clear all auto-blocked IPs, the IP autoblocking history, the security exceptions log and the IP blacklist. Then you can have a user connecting through Citrix virtual desktop trigger a security exception and see which IP gets logged in the Security Exceptions Log. You can then put it in the "Never block these IPs" list to prevent it from being blocked.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

GuiGuy
Sorry, I should have mentioned that I did not see the IP addresses of the affected users, which we have, blocked anywhere in the WAF. They were also whitelisted as you mentioned.

I understand it's a bad idea to turn the admin tools off, but what is the point if users cannot access the site?

I have at the moment turned it back on and will decide what to do next week.

Cheers

nicholas
Akeeba Staff
Manager
Admin Tools will either block a request based on the user doing something or it will block an IP either permanently or temporarily.

In the first case there is an entry in the Security Exceptions Log.

In the second case the IP address is either in the IP Blacklist (permanent banning) or in the Auto IP Blocking Administration. However, if you see an IP in the Auto IP Blocking Administration you also see it in the Security Exceptions Log.

Unless you are talking about users being unable to access the backend of the site (/administrator) in which case you should be looking in the IP Whitelist, assuming that you have enabled the IP whitelist feature in the Configure WAF page.

There is no mode of operation which would silently block an IP address with no other information provided anywhere.

Moreover, if an IP address is whitelisted it is not subject to any of the security checks.

At this point I have to assume that you are either missing something or you are miscommunicating what is going on.

Please tell me what happens when an affected user tries to access the site. First of all, is it the public frontend or the administrator backend?

The error message they get, does this message match the "Custom message" or the "Show this message to blocked IPs" in the Configure WAF page and if it does, which one?

What is the setting of "Enable IP workarounds" in the Configure WAF page?

Do you have access to the site?

Are you behind the same virtual desktop server or not?

Have you checked your server's access logs to make sure that the IP address of the virtual desktop server is actually the one your server sees when the user tries to access your site?

Nicholas K. Dionysopoulos


GuiGuy
Hi Nicholas
Thanks for the detail.

I may have miscommunicated.
We have identified five users that get the 403 error.

Each is from a different financial institution in Australia. I should think that their IT administration can best be described as paranoid.

The five institutions each have their own Citrix virtualisation software to service their offices and branch offices.

I will follow through on your suggestions next week.

Cheers


GuiGuy
I suppose what I find confounding, at the risk of sounding naive if not stupid, the site has been running for three years, with admin tools. The five affected users have always been able to access the site and log in. Until about a month ago.

Technology is great, but only when it works.

Cheers

nicholas
Akeeba Staff
Manager
Computers work in predictable ways. The problem is that they are what we call a "chaotic system" i.e. a system that's too complex for human minds to fully hold and where a small change can cause a seemingly unrelated, big change. I refuse to throw my hands in the air and declare it's the computer god's will or something like that. I have found that analyzing a problem lets us understand it better and come up with a solution.

The paranoia of the IT department or the timing of this issue is irrelevant. I am not saying this as an aphorism but because I understand the nature of IP blocking.

When a client (another computer) sends a request to your site it sends with it the IP address as part of the TCP/IP packets used to transfer the request data. This information is picked up by Apache and put in the REMOTE_ADDR environment variable. PHP picks that up and puts it in the $_SERVER['REMOTE_ADDR'] super global array element.

However, when you have things like a CDN, a caching proxy, an NginX server set up as a reverse proxy or generally any non-transparent network equipment between the client and the server that address is not the client's address. It's the non-transparent network equipment's address.

In most cases an HTTP header X-Forwarded-For is sent with the request. Look it up in Wikipedia for a fairly simple description of how it works. That header is not picked up automatically by Apache and PHP. That's where Admin Tools' "Enable IP Workarounds" option in the Configure WAF page comes into play. When it's set to Yes it tells Admin Tools to use that information instead of the IP address Apache determined from the TCP/IP information of the incoming request. The reason this is not enabled by default is that when it's not necessary for your server setup it can be used maliciously.

If that option is already enabled and your clients are still being blocked then it's possible that all clients appear to be coming from the same IP address and one of them did something that blocked them.

There's no way they are auto-blocked by Admin Tools without their IP being stored anywhere in Admin Tools. Admin Tools won't block random IP addresses for no reason.

If you work methodically through this issue you CAN fix it. For example, you could try disabling IP auto-blocking in Admin Tools and check if that works. If it does work then the IPs given to you are wrong. Check the Security Exceptions Log to see which IP addresses are really being recognized as triggering malicious requests and ask the IT departments to tell you if any of these belongs to them. Maybe they started doing some common routing in front of their Citrix Remote Desktop servers, effectively changing the IP address your site sees.

Nicholas K. Dionysopoulos

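The access-log check suggested in this thread (which address does the site really see, with "Enable IP workarounds" off and on), as an added example that is not part of the ticket and is not Admin Tools' code. It assumes an Apache LogFormat that also records X-Forwarded-For, assumes the left-most valid entry of that header is the one used, and runs on constructed log lines with documentation-range addresses.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Assumed Apache LogFormat (not from the ticket):
#   %h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"
LINE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$')

def seen_ip(peer, xff, workarounds):
    """Address the application acts on: the TCP peer (REMOTE_ADDR), or, with
    workarounds on, the left-most valid X-Forwarded-For entry (assumption)."""
    if workarounds:
        for part in xff.split(","):
            try:
                return str(ip_address(part.strip()))
            except ValueError:
                continue  # "-", "unknown" or junk is not an address
    return peer

def forbidden_by_ip(log_lines, never_block, workarounds):
    """Map each effective IP that received a 403 to (hits, is_allow_listed)."""
    hits = Counter()
    for line in log_lines:
        m = LINE.match(line.strip())
        if m and m["status"] == "403":
            hits[seen_ip(m["peer"], m["xff"], workarounds)] += 1
    return {ip: (n, ip in never_block) for ip, n in hits.items()}

# Constructed sample: documentation-range addresses, not real visitors.
SAMPLE = [
    '203.0.113.10 - - [08/May/2020:09:00:01 +1000] "GET / HTTP/1.1" 403 199 "-"',
    '203.0.113.10 - - [08/May/2020:09:00:09 +1000] "GET / HTTP/1.1" 403 199 "-"',
    '198.51.100.7 - - [08/May/2020:09:01:30 +1000] "GET / HTTP/1.1" 200 5120 "-"',
    '192.0.2.44 - - [08/May/2020:09:02:12 +1000] "GET / HTTP/1.1" 403 199 "198.51.100.23"',
]
# Addresses the users' IT departments reported (constructed placeholders).
NEVER_BLOCK = {"198.51.100.23", "203.0.113.99"}

if __name__ == "__main__":
    for mode in (False, True):
        print("IP workarounds:", "Yes" if mode else "No")
        for ip, (n, listed) in forbidden_by_ip(SAMPLE, NEVER_BLOCK, mode).items():
            note = "on never-block list" if listed else "NOT on never-block list"
            print(f"  {ip}: {n} x 403, {note}")
```

An address that collects 403 responses but is missing from the list the IT departments supplied is the "the IPs given to you are wrong" case described above. Because X-Forwarded-For is set by whoever sends the request, it should only be read when a proxy you control sits in front of the site.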

GuiGuy
A quick update & thanks for the detail.
The WAF IP blocking history and administration show no IP addresses blocked.
The IP Workarounds option had already been set to YES.
I have also whitelisted three of the five affected users' IP addresses.

None of this has made any difference. So far the only thing that has worked is to disable Admin Tools.

I'll keep at it, but it is frustrating.

nicholas
Akeeba Staff
Manager
Here are all the places you need to check:
  • Web Application Firewall, Site IP Blacklist
  • Web Application Firewall, Security Exceptions Log
  • Web Application Firewall, Auto IP Blocking Administration
  • Web Application Firewall, Auto IP Blocking History


Alternatively, use Web Application Firewall, Unblock an IP to delete any records with that IP address.

Go to Web Application Firewall, Configure WAF, Basic Features. Is "Allow administrator access only to IPs in Whitelist" enabled? If so, go to Web Application Firewall, IP whitelisting and make sure the IP addresses are in that list. Otherwise access to the administrator area of the site will be disabled without it being logged.

Do note that if access is disabled because a. IP whitelisting is enabled but the IP address is not in the IP Whitelist; b. IP blacklisting is enabled and the IP is in the Site IP Blacklist; c. the IP has been automatically blacklisted temporarily (Auto IP Blocking Administration) or permanently (Auto IP Blocking History); or d. the IP is in enough Security Exceptions Log entries to trigger automatic temporary or permanent IP blacklisting (case c) THEN there is no log entry generated about the blocked request. This is a reasonable feature to prevent your database crashing under the weight of someone persistently trying to attack your site after they have been IP blocked.

If that still doesn't help, repeat all the steps above AND go to Web Application Firewall, Configure WAF, Basic Features and set "Enable IP workarounds" to No. Now have them retry accessing the site.

Nicholas K. Dionysopoulos


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
